Message-ID: <CAF1ivSZN8PyPhAkyaFL-GsTbnr4uwP=zzzjZbgqOKts_wgngYA@mail.gmail.com>
Date: Thu, 23 Aug 2012 23:10:37 +0800
From: Lin Ming <mlin@...pku.edu.cn>
To: "Banerjee, Debabrata" <dbanerje@...mai.com>
Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"Hunt, Joshua" <johunt@...mai.com>,
"dbavatar@...il.com" <dbavatar@...il.com>,
"Lubashev, Igor" <ilubashe@...mai.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: IPv6 deadlock with CONFIG_IPV6_ROUTER_PREF
On Fri, Aug 17, 2012 at 1:58 AM, Banerjee, Debabrata
<dbanerje@...mai.com> wrote:
> This code tries to send a neighbor discovery ICMPv6 packet for router
> reachability while read_lock(tb6_lock) is held. The send may want to cause
> a fib6_clean_all() garbage collection, which will try to take
> write_lock(tb6_lock), resulting in deadlock. Garbage collection becomes
> more likely under high load of cloned routes, so this is exploitable as a
> DDOS attack, given enough attack hosts in relation max_size of the route
> table (default of 4k). I checked from 3.6-rc1 back to 2.6.32, it is
> present everywhere.
How about moving the garbage collection to a kernel thread?
Then the write_lock(tb6_lock) in this kernel thread won't cause such
a deadlock with other threads.
Lin Ming
>
> Stack trace below.
>
> Thanks,
> Debabrata
>
> [46476.055009] Pid: 7963, comm: xxxx Not tainted 2.6.38-amd64
> [46476.055009] RIP: 0010:[<ffffffff812878c9>] [<ffffffff812878c9>] __write_lock_failed+0x9/0x20
> [46476.055009] RSP: 0018:ffff8801a099f8f0 EFLAGS: 00200287
> [46476.055009] RAX: ffff8801a099ffd8 RBX: 0000000000000000 RCX: 0000000000000000
> [46476.055009] RDX: 0000000000000000 RSI: ffffffffa0196e60 RDI: ffff88020bc95454
> [46476.055009] RBP: ffff8801a099f908 R08: ffff8801a099fb78 R09: 0000000000000003
> [46476.055009] R10: ffff8801a099fa38 R11: ffff88020ebf1c00 R12: ffffffff8100370e
> [46476.055009] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [46476.055009] FS: 00007fa1f4a596d0(0000) GS:ffff8800e7c00000(0063) knlGS:00000000f6a5fba0
> [46476.055009] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
> [46476.055009] CR2: 00000000f7791000 CR3: 00000001a0bcc000 CR4: 00000000000006f0
> [46476.055009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [46476.055009] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [46476.055009] Process xxxx (pid: 7963, threadinfo ffff8801a099e000, task ffff8801a099c880)
> [46476.055009] Stack:
> [46476.055009] ffffffff81482c17 ffff8801a099f928 ffff88020bc95454 ffff8801a099f948
> [46476.055009] ffffffffa01972f9 ffffffffa0196e60 0000000000000200 ffffffff81960a80
> [46476.055009] 0000000000000d80 000000000000ea60 00000001004cbccc ffff8801a099f968
> [46476.055009] Call Trace:
> [46476.055009] [<ffffffff81482c17>] ? _raw_write_lock_bh+0x27/0x30
> (deadlock on write_lock tb6_lock)
> [46476.055009] [<ffffffffa01972f9>] fib6_clean_all+0x49/0x90 [ipv6]
> [46476.055009] [<ffffffffa0196e60>] ? fib6_age+0x0/0x80 [ipv6]
> [46476.055009] [<ffffffffa019744f>] fib6_run_gc+0x4f/0xe0 [ipv6]
> [46476.055009] [<ffffffffa0193547>] ip6_dst_gc+0x97/0x120 [ipv6]
> [46476.055009] [<ffffffff813d5515>] dst_alloc+0xa5/0xc0
> [46476.055009] [<ffffffffa0196c91>] icmp6_dst_alloc+0x51/0x170 [ipv6]
> [46476.055009] [<ffffffffa019ac3f>] ndisc_send_skb+0x6f/0x2c0 [ipv6]
> [46476.055009] [<ffffffff81481b2d>] ? schedule_hrtimeout_range_clock+0xcd/0x110
> [46476.055009] [<ffffffffa019aef1>] __ndisc_send+0x61/0x80 [ipv6]
> [46476.055009] [<ffffffffa019afbc>] ndisc_send_ns+0x6c/0xa0 [ipv6]
> [46476.055009] [<ffffffffa0195459>] rt6_probe+0xc9/0xd0 [ipv6]
> [46476.055009] [<ffffffff81120e50>] ? __pollwait+0x0/0x100
> [46476.055009] [<ffffffffa0195575>] find_match+0x115/0x180 [ipv6]
> [46476.055009] [<ffffffffa01956b3>] ip6_pol_route+0xd3/0x2d0 [ipv6]
> (read_lock tb6_lock)
> [46476.055009] [<ffffffffa01958c6>] ip6_pol_route_output+0x16/0x20 [ipv6]
> [46476.055009] [<ffffffffa0196dfe>] fib6_rule_lookup+0x1e/0x20 [ipv6]
> [46476.055009] [<ffffffffa01948c1>] ip6_route_output+0x61/0xa0 [ipv6]
> [46476.055009] [<ffffffffa0188232>] ip6_dst_lookup_tail+0xe2/0xf0 [ipv6]
> [46476.055009] [<ffffffffa0188255>] ip6_dst_lookup+0x15/0x20 [ipv6]
> [46476.055009] [<ffffffffa01aca8c>] tcp_v6_connect+0x26c/0x6e0 [ipv6]
> [46476.055009] [<ffffffff81235a36>] ? security_sk_alloc+0x16/0x20
> [46476.055009] [<ffffffff8142be49>] inet_stream_connect+0x2a9/0x300
> [46476.055009] [<ffffffff81482be4>] ? _raw_spin_unlock_bh+0x14/0x20
> [46476.055009] [<ffffffff813be329>] ? release_sock+0xd9/0x110
> [46476.055009] [<ffffffff813bc00f>] sys_connect+0xaf/0xd0
> [46476.055009] [<ffffffff813e4077>] ? compat_sys_setsockopt+0x87/0x220
> [46476.055009] [<ffffffff81150e28>] ? compat_sys_fcntl64+0x1d8/0x380
> [46476.055009] [<ffffffff813e4c93>] compat_sys_socketcall+0x93/0x1f0
> [46476.055009] [<ffffffff810354ec>] cstar_dispatch+0x7/0x32
> [46476.055009] Code: 00 00 48 8b 5b 20 48 83 eb 07 48 39 d9 73 06 48 89 01
> 31 c0 c3 b8 f2 ff ff ff c3 90 90 90 90 90 90 90 f0 81 07 00 00 00 01 f3 90
> <81> 3f 00 00 00 01 75 f6 f0 81 2f 00 00 00 01 0f 85 e2 ff ff ff
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
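The read-then-write nesting shown in the trace above, and the deferral Lin Ming proposes, as an added single-threaded model (not code from this thread or from the kernel): the lock is a pair of counters, write_lock() reports EDEADLK where the real rwlock would spin, and route_lookup_needing_gc(), gc_thread_run() and fib6_gc() are invented stand-ins for the ip6_pol_route()/rt6_probe() path, the proposed GC thread and fib6_clean_all().

```c
/* Added model (not kernel code): a counted rwlock that reports the
 * read->write nesting from the oops instead of spinning forever. */
#include <errno.h>

static int tb6_readers, tb6_writer;   /* model of rwlock_t tb6_lock */
static int gc_pending;                /* work queued for the GC thread */
static int gc_runs;                   /* completed GC passes */
static void read_lock(void)    { tb6_readers++; }
static void read_unlock(void)  { tb6_readers--; }
static void write_unlock(void) { tb6_writer = 0; }
static int write_lock(void)
{
    if (tb6_readers || tb6_writer)
        return EDEADLK;  /* write_lock(tb6_lock) would spin here forever */
    tb6_writer = 1;
    return 0;
}

static int fib6_gc(void)   /* fib6_clean_all() stand-in: needs the write side */
{
    int rc = write_lock();
    if (rc)
        return rc;
    gc_runs++;
    write_unlock();
    return 0;
}

/* ip6_pol_route() -> rt6_probe() -> dst_alloc() with the table over
 * max_size: a GC is wanted while the read lock is still held.
 * deferred = 0 runs it inline (the bug), deferred = 1 only queues it. */
int route_lookup_needing_gc(int deferred)
{
    int rc = 0;
    read_lock();
    if (deferred)
        gc_pending = 1;
    else
        rc = fib6_gc();    /* this context holds the read side: EDEADLK */
    read_unlock();
    return rc;
}
int gc_thread_run(void)    /* the GC thread: runs queued work, no reader held */
{
    if (!gc_pending)
        return 0;
    gc_pending = 0;
    return fib6_gc();
}
int gc_run_count(void) { return gc_runs; }
```

In the inline case the lookup itself reports the nesting; in the deferred case the GC runs once the lookup has dropped the read side.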